[pkg-uWSGI-devel] Bug#995368: libapache2-mod-proxy-uwsgi - CVE-2021-36160 regression, altered PATH_INFO

philippe.accorsi at algoo.fr philippe.accorsi at algoo.fr
Sat Oct 9 21:13:30 BST 2021


Thanks for your answer but also thanks for the information about wrong 
configuration of apache.

I have tested both solution you explain here and both works good.

If I apply change in Apache configuration (like explain in the official 
documentation about "/") my app works good.
If I just apply your Debian patch, app works good also.

So, we wait for the debian patch for the oldest installation and I now 
can create a fix for Tracim project about wrong usage of "/" in apache2 

Thanks a lot for your solution :) :) :)

Best regards.
Sys Admin Algoo

Le 2021-10-09 18:04, Sylvain Beucler a écrit :
> Hi,
> On 05/10/2021 18:41, Sylvain Beucler wrote:
>> forwarded 995368 https://bz.apache.org/bugzilla/show_bug.cgi?id=65616
> The Apache developers say there's an incorrect configuration in the
> first place.  For example,
> ProxyPassMatch ^/ui uwsgi://
> should be
> ProxyPassMatch ^/ui uwsgi://
> following the warning about slashes in the documentation:
> http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
> However, they are currently considering an additional patch to restore
> the previous (less strict) behavior.
> Philippe, Josef, I prepared a build with the new patch, so you can test 
> early:
> https://people.debian.org/~beuc/lts/uwsgi/
> https://people.debian.org/~beuc/lts/uwsgi/libapache2-mod-proxy-uwsgi_2.0.14+20161117-3+deb9u5_amd64.deb
> I'm interested in your feedback.
> Cheers!
> Sylvain Beucler
> Debian LTS Team

More information about the pkg-uWSGI-devel mailing list